On Monday, 7 July, the president signed into law the Intelligence Authorization Act for Fiscal Year (FY) 2014 (Pub. L. 113-126), which requires intelligence contractors with security clearances to promptly report network and information system penetrations and provide government investigators access to such systems. This new statutory cybersecurity reporting requirement for cleared intelligence contractors is largely consistent with a reporting requirement applicable to cleared U.S. Department of Defense contractors under the National Defense Authorization Act for FY 2013.
Read our detailed advisory opinion here.
This post was originally published on the Hogan Lovells Focus on Regulation blog.
Hogan Lovells today published an update to the White Paper A Sober Look at National Security Access to Data in the Cloud, which compares national security access to data stored with Cloud service providers in a number of countries. The White Paper adds analyses of the laws of Brazil, Italy, and Spain, and reflects the April 2014 opinion of the European Court of Justice invalidating the EU Data Retention Directive. The updated paper now compares the national security access laws of the United States, Australia, Brazil, Canada, France, Germany, Italy, Spain, and the United Kingdom.
Two developments in Russian law this summer could significantly limit the ability of cloud and other online services to publish online content and to make Russian data remotely available online. The first is the advancement of legislation requiring data operators to store locally in Russia information of Russian citizens. The second is the countdown to the effective date of new rules that impose onerous registration, content, and censorship requirements on certain website operators and electronic communication services. We address each here in turn.
Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
The French data protection authority has announced that following the “cookie sweep day” due to take place the week commencing 15 September 2014, it will launch a program of website audits in October to verify compliance with the CNIL’s 5 December 2013 cookie recommendations. The audit will be conducted either through on-site inspections, or through remote electronic inspections. Not all cookies require prior consent by the Internet user under the CNIL’s December recommendations. However, for those cookies that require prior consent (e.g., cookies set by third party advertising networks), the CNIL will verify how consent is obtained. Under the CNIL’s December 2013 recommendation, consent can be obtained either through an explicit click, or through the Internet user’s decision to navigate further within the site notwithstanding the persistent banner informing the user that cookies may be placed on the site.
The Hogan Lovells Privacy and Information Management practice has received a “first tier” ranking from the ratings guide Legal 500 US in the “Technology: Data Protection and Privacy” category. Partners Christopher Wolf and Marcy Wilder were also each recognized as “leading lawyers” in the field. Legal 500 notes that the Privacy and Information Management practice at Hogan Lovells is “‘among the best’ at advising ‘not only on where the law is, but where it is heading’.”
On 10 July, the UK government announced cross-party backing for emergency legislation designed to ensure that the police and security services can continue to access communications data held by communications service providers for the purpose of investigating criminal activity and protecting national security. This is in response to the recent European Court of Justice judgment of 8 April 2014 in joined cases (C-293/12 Digital Rights Ireland & C-594/12 Seitlinger) which declared the Data Retention Directive (2006/24/EC) invalid.
In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice (ECJ), including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.
Hogan Lovells has launched the German-language “Datenschutz” blog covering important aspects of German Privacy Law as well as EU-related news. Among the items covered is a German court decision on employee monitoring.
The German Federal Labor Court (Bundesarbeitsgericht) has published its reasoning underlying a June 2013 decision in which it declared invalid the dismissal by a large supermarket of an employee who was found in possession of stolen goods. According to the Court, the factual evidence leading to the dismissal—obtained upon inspection of the employee’s workplace locker without the presence of the employee—was gathered in violation of the employee’s right to privacy established by the German Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”). The ruling represents a shift in case law regarding employee data privacy where German courts are likely to exclude from civil law proceedings information collected in violation of statutory data privacy requirements. Companies operating in Germany should be aware of these requirements in order to avoid losing lawsuits as a consequence of non-compliance with strict local data privacy rules.